Abstract

A method of analyzing time bounds for randomized distributed algorithms is presented,
in the context of a new and general framework for describing and reasoning about randomized
algorithms. The method consists of proving auxiliary statements of the form $U \xrightarrow[p]{t} U'$,
which means that whenever the algorithm begins in a state in set $U$, with probability $p$,
it will reach a state in set $U'$ within time $t$. The power of the method is illustrated by its
use in proving a constant upper bound on the expected time for some process to reach its
critical region, in Lehmann and Rabin's Dining Philosophers algorithm.
1 Introduction



Randomization has proved to be a useful tool in the design of distributed algorithms, sometimes 
yielding efficient solutions to problems that are inherently complex, or even unsolvable, in 
the setting of deterministic algorithms [?,?,?,?]. But this powerful tool has a price: even 
simple randomized algorithms can be extremely hard to verify and analyze. Because of this, 
many randomized distributed algorithms appear in the literature with only informal proofs of 
correctness, and only informal derivation of complexity bounds. In fact, it is sometimes hard 
for the reader to ascertain that the proofs and complexity bounds presented are really correct. 
Even where proofs are carefully and correctly done, the arguments tend to be ad hoc. 

A key difficulty in reasoning about randomized algorithms is the fact that their executions 
usually contain a combination of nondeterministic and probabilistic choices, with subtle in- 
teractions between them. The probabilistic choices are typically only those that involve an 
explicit use of randomness by the algorithm (e.g., by using a random-number generator). All 
other choices (e.g., the order of process steps, the times at which requests arrive) are usually 
considered to be nondeterministic. It is customary to define an adversary as a way of modeling 
the entity that resolves the nondeterministic choices. 1 In defining an adversary, one must be 
especially careful to specify the knowledge of the execution that the adversary is permitted 
to use in resolving nondeterministic choices. This might range from no knowledge at all, in 
which case the adversary is said to be oblivious, to complete knowledge of the past execution 
(including past random choices). 

Even after one has defined the desired notion of adversary, it is still not easy to carry out 
correctness proofs and complexity analyses for randomized algorithms; most existing proofs 
seem rather ad hoc. It would be useful to have a collection of general proof rules and methods, 
which could be established once and for all, and then applied in a reasonably systematic way to 
verify and analyze numerous algorithms. Some examples of work that has already been done
on the development of such methods are [?,?,?]. The work of [?] presents a technique, based
on progress functions defined on states, for establishing liveness properties for randomized 
algorithms; the work of [?,?] presents model checking techniques. 

In this paper, we present such a new method: a way of proving upper bounds on time
for randomized algorithms. Our method consists of proving auxiliary statements of the form
$U \xrightarrow[p]{t} U'$, which means that whenever the algorithm begins in a state in set $U$, with probability
$p$, it will reach a state in set $U'$ within time $t$. Of course, this method can only be used for
randomized algorithms that include timing assumptions. A key theorem about our method is
the composability of these $U \xrightarrow[p]{t} U'$ arrows, as expressed by Theorem 3.4. This composability
result holds even in the case of (many classes of) non-oblivious adversaries.

We also present two complementary proof rules that help in reasoning about sets of distinct 
random choices. Independence arguments about such choices are often crucial to correctness 
proofs, yet there are subtle ways in which a non-oblivious adversary can introduce depen- 
dencies. For example, a non-oblivious adversary has the power to use the outcome of one 
random choice to decide whether to schedule another random choice. Our proof rules help to 
systematize certain kinds of reasoning about independence. 

1 In this paper, we ignore the possibility that the adversary itself uses randomness. 
Our proof rules are presented in the context of a new and general formal framework [?] for
describing and reasoning about randomized algorithms. This framework integrates randomness
and nondeterminism into one model, and permits the modeling of timed as well as untimed
systems. The model of [?] is, in turn, based on existing models for untimed and timed
distributed systems [?,?], and adopts many ideas from the probabilistic models of [?,?].

In order to illustrate our method, we use it in this paper to prove an upper bound for
Lehmann and Rabin's Dining Philosophers algorithm [?], in the face of an adversary with
complete knowledge of the past. This upper bound asserts that $\mathcal{T} \xrightarrow[1/8]{13} \mathcal{C}$, where $\mathcal{T}$ is the set
of states in which some process is in its trying region, while $\mathcal{C}$ is the set of states in which
some process is in its critical region. That is, whenever the algorithm is in a state in which
some process is in the trying region, with probability 1/8, within time 13, it will reach a state
in which some process is in its critical region. This bound depends on the timing assumption
that processes never wait more than time 1 between steps. A consequence of this claim is an
upper bound (of 63) on the expected time for some process to reach its critical region.

For comparison, we note that [?] contains only proof sketches of the results claimed. The 
paper [?] contains a proof that Lehmann and Rabin's algorithm satisfies an eventual progress 
condition, in the presence of an adversary with complete knowledge of the past; this proof is 
carried out as an instance of Zuck and Pnueli's general method for proving liveness properties. 
Our results about this protocol can be regarded as a refinement of the results of Zuck and 
Pnueli, in that we obtain explicit constant time bounds rather than liveness properties. 

The rest of the paper is organized as follows. Section 2 presents a simplified version of the
model of [?]. Section 3 presents our main proof technique based on time-bound statements.
Section 4 presents the additional proof rules for independence of distinct probabilistic choices.
Section 5 presents the Lehmann-Rabin algorithm. Section 6.2 formalizes the algorithm in
terms of the model of Section 2, and gives an overview of our time bound proof. Section 7
gives some concluding remarks. A separate appendix contains the details of the time bound
proof.

2 The Model 

In this section, we present the model that is used to formulate our proof technique. It is a
simplified version of the probabilistic automaton model of [?]. Here we only give the parts of
the model that we need to describe our proof method and its application to the Lehmann-Rabin
algorithm; we refer the reader to the full version of this paper and to [?] for more details.

Definition 2.1 A probabilistic automaton² $M$ consists of four components:

• a set $states(M)$ of states.

• a nonempty set $start(M) \subseteq states(M)$ of start states.

2 In [?] the probabilistic automata of this definition are called simple probabilistic automata. This is because 
that paper also includes the case of randomized adversaries. 
• an action signature $sig(M) = (ext(M), int(M))$ where $ext(M)$ and $int(M)$ are disjoint
sets of external and internal actions, respectively.

• a transition relation $steps(M) \subseteq states(M) \times acts(M) \times Probs(states(M))$, where the set
$Probs(states(M))$ is the set of probability spaces $(\Omega, \mathcal{F}, P)$ such that $\Omega \subseteq states(M)$ and
$\mathcal{F} = 2^{\Omega}$. The last requirement is needed for technical convenience.

A probabilistic automaton is fully probabilistic if it has a unique start state and from each 
state there is at most one step enabled. ■ 

Thus, a probabilistic automaton is a state machine with a labeled transition relation such 
that the state reached during a step is determined by some probability distribution. For exam- 
ple, the process of flipping a coin is represented by a step labeled with an action flip where 
the next state contains the outcome of the coin flip and is determined by a probability distribu- 
tion over the two possible outcomes. A probabilistic automaton also allows nondeterministic 
choices over steps. An example of nondeterminism is the choice of which process takes the 
next step in a multi-process system. 

An execution fragment $\alpha$ of a probabilistic automaton $M$ is a (finite or infinite) sequence
of alternating states and actions starting with a state and, if the execution fragment is finite,
ending in a state, $\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$, where for each $i$ there exists a probability space
$(\Omega, \mathcal{F}, P)$ such that $(s_i, a_{i+1}, (\Omega, \mathcal{F}, P)) \in steps(M)$ and $s_{i+1} \in \Omega$. Denote by $fstate(\alpha)$ the first state of
$\alpha$ and, if $\alpha$ is finite, denote by $lstate(\alpha)$ the last state of $\alpha$. Furthermore, denote by $frag^*(M)$
and $frag(M)$ the sets of finite and all execution fragments of $M$, respectively. An execution is
an execution fragment whose first state is a start state. Denote by $exec^*(M)$ and $exec(M)$ the
sets of finite and all executions of $M$, respectively. A state $s$ of $M$ is reachable if there exists
a finite execution of $M$ that ends in $s$. Denote by $rstates(M)$ the set of reachable states of $M$.

A finite execution fragment $\alpha_1 = s_0 a_1 s_1 \cdots a_n s_n$ of $M$ and an execution fragment
$\alpha_2 = s_n a_{n+1} s_{n+1} \cdots$ of $M$ can be concatenated. In this case the concatenation, written $\alpha_1 \frown \alpha_2$, is
the execution fragment $s_0 a_1 s_1 \cdots a_n s_n a_{n+1} s_{n+1} \cdots$. An execution fragment $\alpha_1$ of $M$ is a prefix
of an execution fragment $\alpha_2$ of $M$, written $\alpha_1 \le \alpha_2$, if either $\alpha_1 = \alpha_2$ or $\alpha_1$ is finite and there
exists an execution fragment $\alpha_1'$ of $M$ such that $\alpha_2 = \alpha_1 \frown \alpha_1'$.

In order to study the probabilistic behavior of a probabilistic automaton, some mechanism
to remove nondeterminism is necessary. To give an idea of why the nondeterministic behavior
should be removed, consider a probabilistic automaton with three states $s_0, s_1, s_2$ and with two
steps enabled from its start state $s_0$; the first step moves to state $s_1$ with probability 1/2 and
to $s_2$ with probability 1/2; the second step moves to state $s_1$ with probability 1/3 and to $s_2$
with probability 2/3. What is the probability of reaching state $s_1$? The answer depends on
how the nondeterminism between the two steps is resolved. If the first step is chosen, then
the probability of reaching state $s_1$ is 1/2; if the second step is chosen, then the probability of
reaching state $s_1$ is 1/3. We call the mechanism that removes the nondeterminism an adversary,
because it is often viewed as trying to thwart the efforts of a system to reach its goals. In
distributed systems the adversary is often called the scheduler, because its main job may be
to decide which process should take the next step.
Definition 2.2 An adversary for a probabilistic automaton $M$ is a function $A$ taking a finite
execution fragment of $M$ and giving back either nothing (represented as $\delta$) or one of the enabled
steps of $M$ if there are any. Denote the set of adversaries for $M$ by $Advs_M$³. ■

Once an adversary is chosen, a probabilistic automaton can run under the control of the 
chosen adversary. The result of the interaction is called an execution automaton. The definition 
of an execution automaton, given below, is rather complicated because an execution automaton 
must contain all the information about the different choices of the adversary, and thus the states 
of an execution automaton must contain the complete history of a probabilistic automaton. 
Note that there are no nondeterministic choices left in an execution automaton. 

Definition 2.3 An execution automaton $H$ of a probabilistic automaton $M$ is a fully probabilistic
automaton such that

1. $states(H) \subseteq frag^*(M)$.

2. for each step $(\alpha, a, (\Omega, \mathcal{F}, P))$ of $H$ there is a step $(lstate(\alpha), a, (\Omega', \mathcal{F}', P'))$ of $M$, called
the corresponding step, such that $\Omega = \{\alpha a s \mid s \in \Omega'\}$ and $P[\alpha a s] = P'[s]$ for each $s \in \Omega'$.

3. each state of $H$ is reachable, i.e., for each $\alpha \in states(H)$ there exists an execution of $H$
leading to state $\alpha$. ■

Definition 2.4 Given a probabilistic automaton $M$, an adversary $A \in Advs_M$, and an execution
fragment $\alpha \in frag^*(M)$, the execution $H(M, A, \alpha)$ of $M$ under adversary $A$ with starting
fragment $\alpha$ is the execution automaton of $M$ whose start state is $\alpha$ and such that for each step
$(\alpha', a, (\Omega, \mathcal{F}, P)) \in steps(H(M, A, \alpha))$, its corresponding step is the step $A(\alpha')$. ■

Given an execution automaton $H$, an event is expressed by means of a set of maximal
executions of $H$, where a maximal execution of $H$ is either infinite, or it is finite and its last
state does not enable any step in $H$. For example, the event "eventually action $a$ occurs" is the
set of maximal executions of $H$ where action $a$ does occur. A more formal definition follows.
The sample space $\Omega_H$ is the set of maximal executions of $H$. The $\sigma$-algebra $\mathcal{F}_H$ is the smallest
$\sigma$-algebra that contains the set of rectangles $R_\alpha$, consisting of the executions of $\Omega_H$ having $\alpha$
as a prefix⁴. The probability measure $P_H$ is the unique extension of the probability measure
defined on rectangles as follows: $P_H[R_\alpha]$ is the product of the probabilities of each step of $H$
generating $\alpha$. In [?] it is shown that there is a unique probability measure having the property
above, and thus $(\Omega_H, \mathcal{F}_H, P_H)$ is a well defined probability space. For the rest of this abstract
we do not need to refer to this formal definition any more.

Events of $\mathcal{F}_H$ are not sufficient for the analysis of a probabilistic automaton. Events are
defined over execution automata, but a probabilistic automaton may generate several execution
automata depending on the adversary it interacts with. Thus a more general notion of event
is needed that can deal with all execution automata. Specific examples are given in Section 3.

3 In [?] the adversaries of this definition are denoted by $DAdvs_M$, where $D$ stands for Deterministic. The
adversaries of [?] are allowed to use randomness.

4 Note that a rectangle $R_\alpha$ can be used to express the fact that the finite execution $\alpha$ occurs.
Definition 2.5 An event schema $e$ for a probabilistic automaton $M$ is a function associating
an event of $\mathcal{F}_H$ with each execution automaton $H$ of $M$. ■



We now discuss briefly a simple way to handle time within probabilistic automata. The
idea is to add a time component to the states of a probabilistic automaton, to assume that
the time at a start state is 0, to add a special non-visible action $\nu$ modeling the passage of
time, and to add arbitrary time passage steps to each state. A time passage step should be
non-probabilistic and should change only the time component of a state. This construction is
called the patient construction in [?,?,?]. The reader interested in a more general extension
to timed models is referred to [?].

We close this section with one final definition. Our time bound property for the Lehmann-Rabin
algorithm states that if some process is in its trying region, then no matter how the
steps of the system are scheduled, some process enters its critical region within time $t$ with
probability at least $p$. However, this claim can only be valid if each process has sufficiently
frequent chances to perform a step of its local program. Thus, we need a way to restrict the
set of adversaries for a probabilistic automaton. The following definition provides a general
way of doing this.

Definition 2.6 An adversary schema for a probabilistic automaton $M$, denoted by $Advs$, is
a subset of $Advs_M$. ■

3 The Proof Method 

In this section, we introduce our key statement $U \xrightarrow[p]{t}_{Advs} U'$ and the composability theorem,
which is our main theorem about the proof method.

The meaning of the statement $U \xrightarrow[p]{t}_{Advs} U'$ is that, starting from any state of $U$ and under
any adversary $A$ of $Advs$, the probability of reaching a state of $U'$ within time $t$ is at least $p$.
The suffix $Advs$ is omitted whenever we think it is clear from the context.

Definition 3.1 Let $e_{U',t}$ be the event schema that, applied to an execution automaton $H$,
returns the set of maximal executions $\alpha$ of $H$ where a state from $U'$ is reached in some
state of $\alpha$ within time $t$. Then $U \xrightarrow[p]{t}_{Advs} U'$ iff for each $s \in U$ and each $A \in Advs$,

$P_{H(M,A,s)}[e_{U',t}(H(M,A,s))] \ge p.$ ■

Proposition 3.2 Let $U$, $U'$, $U''$ be sets of states of a probabilistic automaton $M$.

If $U \xrightarrow[p]{t} U'$, then $U \cup U'' \xrightarrow[p]{t} U' \cup U''$. ■

In order to compose time bound statements, we need a restriction for adversary schemas 
stating that the power of the adversary schema is not reduced if a prefix of the past history of 
the execution is not known. Most adversary schemas that appear in the literature satisfy this 
restriction. 
Definition 3.3 An adversary schema $Advs$ for a probabilistic automaton $M$ is execution closed
if, for each $A \in Advs$ and each finite execution fragment $\alpha \in frag^*(M)$, there exists an
adversary $A' \in Advs$ such that for each execution fragment $\alpha' \in frag^*(M)$ with $lstate(\alpha) =
fstate(\alpha')$, $A'(\alpha') = A(\alpha \frown \alpha')$. ■



Theorem 3.4 Let $Advs$ be an execution closed adversary schema for a probabilistic timed
automaton $M$, and let $U$, $U'$, $U''$ be sets of states of $M$.

If $U \xrightarrow[p_1]{t_1}_{Advs} U'$ and $U' \xrightarrow[p_2]{t_2}_{Advs} U''$, then $U \xrightarrow[p_1 p_2]{t_1 + t_2}_{Advs} U''$.



Proof sketch. Consider an adversary $A \in Advs$ that acts on $M$ starting from a state $s$ of
$U$. The execution automaton $H(M,A,s)$ contains executions where a state from $U'$ is reached
within time $t_1$. Consider one of those executions $\alpha$ and consider the part $H$ of $H(M,A,s)$
after the first occurrence of a state from $U'$ in $\alpha$. The key idea of the proof is to use execution
closure of $Advs$ to show that there is an adversary that generates $H$, to use $U' \xrightarrow[p_2]{t_2}_{Advs} U''$ to
show that in $H$ a state from $U''$ is reached within time $t_2$ with probability at least $p_2$, and to
integrate this last result in the computation of the probability of reaching a state from $U''$ in
$H(M,A,s)$ within time $t_1 + t_2$. ■
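The following Python is an added illustration of the statement $U \xrightarrow[p]{t} U'$ and of Theorem 3.4; it is example code written for this page, not the paper's. On a small constructed probabilistic timed automaton it computes, by a finite-horizon minimisation over all adversaries, the largest $p$ for which $U \xrightarrow[p]{t} U'$ holds, and then compares the composed bound $p_1 p_2$ of Theorem 3.4 with the true bound for $t_1 + t_2$. Assumptions: time is discrete and every step takes time 1 (one unit of time passage is folded into each step), and the adversary schema consists of all adversaries that take some enabled step whenever one exists, which is execution closed in the sense of Definition 3.3. The automaton `STEPS`, its state and action names, and the function names are constructed for the example.

```python
from fractions import Fraction as Fr
from functools import lru_cache

# Constructed probabilistic timed automaton (not from the paper):
#   STEPS[state] = [(action, {next_state: probability}), ...]
# A state with an empty list enables no step, so the adversary returns δ there.
STEPS = {
    "u": [("flip", {"a": Fr(1, 2), "b": Fr(1, 2)}),   # two steps enabled: the adversary chooses
          ("skew", {"b": Fr(1, 3), "u": Fr(2, 3)})],
    "a": [("retry", {"u": Fr(1)})],
    "b": [("flip", {"w": Fr(1, 2), "c": Fr(1, 2)})],
    "c": [("back", {"b": Fr(1)})],
    "w": [],
}

def worst_case_prob(steps, start, target, t):
    """Minimum, over all adversaries that always take an enabled step, of the probability of
    reaching a state of `target` within time t (= t steps) when started in `start`."""
    target = frozenset(target)

    @lru_cache(maxsize=None)
    def f(s, k):
        if s in target:
            return Fr(1)
        if k == 0 or not steps[s]:
            return Fr(0)
        # The adversary may look at the whole history, but with k units of time left the
        # worst choice at s depends only on (s, k), so minimising step by step is exact.
        return min(sum(p * f(nxt, k - 1) for nxt, p in dist.items()) for _, dist in steps[s])

    return f(start, t)

def time_bound(steps, U, U1, t):
    """The largest p such that U --t--> U1 with probability p (Definition 3.1):
    the worst case over the start states in U and over the adversaries."""
    return min(worst_case_prob(steps, s, U1, t) for s in U)

def compose(steps, U, U1, U2, t1, t2):
    """(p1, p2, p12): the two hypotheses of Theorem 3.4 and the true bound for the composed
    statement U --t1+t2--> U2.  The theorem guarantees p12 >= p1 * p2; p12 may be larger."""
    p1 = time_bound(steps, U, U1, t1)
    p2 = time_bound(steps, U1, U2, t2)
    p12 = time_bound(steps, U, U2, t1 + t2)
    return p1, p2, p12

if __name__ == "__main__":
    print("u --1--> b holds with p =", time_bound(STEPS, {"u"}, {"b"}, 1))   # the adversary picks "skew"
    p1, p2, p12 = compose(STEPS, {"u"}, {"b"}, {"w"}, 2, 2)
    print("p1 =", p1, "p2 =", p2, "composed bound p1*p2 =", p1 * p2, "true bound =", p12)
```

With $t = 1$ the adversary picks the `skew` step and the bound is only 1/3; with $t_1 = t_2 = 2$ the two hypotheses give $p_1 = p_2 = 1/2$, Theorem 3.4 yields $1/4$ for $t = 4$, and the exact minimisation gives $5/12$, showing that the composed bound is a sound but not necessarily tight lower bound. Proposition 3.2 can be checked the same way by enlarging both sets with the same $U''$.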



4 Independence 



Example 4.1 Consider any distributed algorithm where each process is allowed to flip fair
coins. It is common to say "If the next coin flip of process $P$ yields head and the next coin
flip of process $Q$ yields tail, then some good property $\phi$ holds." Can we conclude that the
probability for $\phi$ to hold is 1/4? That is, can we assume that the coin flips of processes $P$ and $Q$
are independent? The two coin flips are indeed independent of each other, but the presence of
non-oblivious adversaries may introduce some dependence. An adversary can schedule process
$P$ to flip its coin and then schedule process $Q$ only if the coin flip of process $P$ yielded head.
As a result, if both $P$ and $Q$ flip a coin, the probability that $P$ yields head and $Q$ yields tail
is 1/2. ■



Thus, it is necessary to be extremely careful about independence assumptions. It is also
important to pay attention to potential ambiguities of informal arguments. For example, does
$\phi$ hold if process $P$ flips a coin yielding head and process $Q$ does not flip any coin? Certainly
such an ambiguity can be avoided by expressing each event in a formal model.

In this section we present two event schemas that play a key role in the detailed time
bound proof for the Lehmann-Rabin algorithm (cf. appendix), and we show some partial
independence properties for them. The first event schema is a generalization of the informal
statement of Example 4.1, where a coin flip is replaced by a generic action $a$, and where it is
assumed that an event contains all the executions where $a$ is not scheduled; the second event
schema is used to analyze the outcome of the first random draw that occurs among a fixed set
of random draws. A consequence of the partial independence results that we show below is
that under any adversary the property $\phi$ of Example 4.1 holds with probability at least 1/4.
Let $(a, U)$ be a pair consisting of an action of $M$ and a set of states of $M$. The event schema
$FIRST(a, U)$ is the function that, given an execution automaton $H$, returns the set of maximal
executions of $H$ where either action $a$ does not occur, or action $a$ occurs and the state reached
after the first occurrence of $a$ is a state of $U$. This event schema is used to express properties
like "the $i$th coin yields left". For example $a$ can be $flip$ and $U$ can be the set of states of
$M$ where the result of the coin flip is $left$.

Let $(a_1, U_1), \ldots, (a_n, U_n)$ be a sequence of pairs consisting of an action of $M$ and a set
of states of $M$ such that for each $1 \le i < j \le n$, $a_i \ne a_j$. Define the event schema
$NEXT((a_1, U_1), \ldots, (a_n, U_n))$ to be the function that applied to an execution automaton $H$
gives the set of maximal executions of $H$ where either no action from $\{a_1, \ldots, a_n\}$ occurs, or
at least one action from $\{a_1, \ldots, a_n\}$ occurs and, if $a_i$ is the first action that occurs, the state
reached after the first occurrence of $a_i$ is in $U_i$. This kind of event schema is used to express
properties like "the first coin that is flipped yields left."

Proposition 4.2 Let $H$ be an execution automaton of a probabilistic automaton $M$. Furthermore,
let $(a_1, U_1), \ldots, (a_n, U_n)$ be pairs consisting of an action of $M$ and a set of states of $M$
such that for each $i, j$, $1 \le i < j \le n$, $a_i \ne a_j$. Finally, let $p_1, \ldots, p_n$ be real numbers between
0 and 1 such that for each $i$, $1 \le i \le n$, and each step $(s, a, (\Omega, \mathcal{F}, P)) \in steps(M)$ with $a = a_i$,
the probability $P[U_i \cap \Omega]$ is greater than or equal to $p_i$, i.e., $P[U_i \cap \Omega] \ge p_i$. Then

1. $P_H[(FIRST(a_1, U_1) \cap \cdots \cap FIRST(a_n, U_n))(H)] \ge p_1 \cdots p_n$,

2. $P_H[NEXT((a_1, U_1), \ldots, (a_n, U_n))(H)] \ge \min\{p_1, \ldots, p_n\}$. ■
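The Python below is an added example, not code from the paper, serving two passages at once: the execution automaton $H(M, A, s)$ and its measure $P_H$ from Section 2 (tried on the three-state automaton of that section), and the event schemas $FIRST$ and $NEXT$ of this section evaluated under the non-oblivious adversary of Example 4.1. A probabilistic automaton is a dictionary `steps[state] = {action: {next_state: probability}}`, an adversary is a function from a finite execution fragment (the tuple $s_0, a_1, s_1, \ldots, s_n$) to an enabled action name or `None` (the paper's $\delta$), and the unfolding enumerates the maximal executions of $H$ with the product probability of their steps. The one assumption is that no cycle is reachable under the adversary, so $H$ is finite; all state, action and function names are constructed for the example.

```python
from fractions import Fraction as Fr

def maximal_executions(steps, adversary, start):
    """Unfold H(M, A, start) (Definition 2.4); yield (execution, P_H of its rectangle)."""
    stack = [((start,), Fr(1))]
    while stack:
        frag, prob = stack.pop()
        action = adversary(frag)
        if action is None:                      # no step of H leaves this state: maximal
            yield frag, prob
            continue
        for nxt, p in steps[frag[-1]][action].items():
            stack.append((frag + (action, nxt), prob * p))   # product of the step probabilities

def prob_of(steps, adversary, start, event):
    """P_H[event] for an event given as a predicate on maximal executions of H."""
    return sum((p for ex, p in maximal_executions(steps, adversary, start) if event(ex)), Fr(0))

def FIRST(action, U):
    """Event schema FIRST(a, U): a never occurs, or the state after its first occurrence is in U."""
    def event(ex):
        for a, s in zip(ex[1::2], ex[2::2]):
            if a == action:
                return U(s)
        return True
    return event

def NEXT(pairs):
    """Event schema NEXT((a1,U1),...,(an,Un)): no a_i occurs, or the first one leads into its U_i."""
    table = dict(pairs)
    def event(ex):
        for a, s in zip(ex[1::2], ex[2::2]):
            if a in table:
                return table[a](s)
        return True
    return event

def both(e1, e2):
    return lambda ex: e1(ex) and e2(ex)

# The three-state automaton of Section 2 (constructed to match the text).
THREE = {"s0": {"one": {"s1": Fr(1, 2), "s2": Fr(1, 2)},
                "two": {"s1": Fr(1, 3), "s2": Fr(2, 3)}},
         "s1": {}, "s2": {}}

def always(action):
    """Adversary that resolves every choice with `action` while some step is enabled."""
    return lambda frag: action if THREE[frag[-1]] else None

def reaches(state):
    return lambda ex: state in ex[0::2]

def three_state_probabilities():
    """P_H[reach s1] under the two adversaries discussed in Section 2: (1/2, 1/3)."""
    return (prob_of(THREE, always("one"), "s0", reaches("s1")),
            prob_of(THREE, always("two"), "s0", reaches("s1")))

# Example 4.1: processes P and Q each own one fair coin.  A state is
# (P's outcome, Q's outcome), each None until that coin has been flipped.
COINS = {}
for _p in (None, "head", "tail"):
    for _q in (None, "head", "tail"):
        COINS[(_p, _q)] = {}
        if _p is None:
            COINS[(_p, _q)]["flipP"] = {("head", _q): Fr(1, 2), ("tail", _q): Fr(1, 2)}
        if _q is None:
            COINS[(_p, _q)]["flipQ"] = {(_p, "head"): Fr(1, 2), (_p, "tail"): Fr(1, 2)}

def sneaky(schedule_q_after):
    """Non-oblivious adversary: flip P first, then schedule Q only if P showed `schedule_q_after`."""
    def adversary(frag):
        p, q = frag[-1]
        if p is None:
            return "flipP"
        if p == schedule_q_after and q is None:
            return "flipQ"
        return None                             # δ: Q's coin is never scheduled
    return adversary

P_HEAD = FIRST("flipP", lambda s: s[0] == "head")
Q_TAIL = FIRST("flipQ", lambda s: s[1] == "tail")
BOTH_FLIPPED = lambda ex: "flipP" in ex[1::2] and "flipQ" in ex[1::2]

def example_4_1(schedule_q_after):
    """(P_H[FIRST(flipP,head) ∩ FIRST(flipQ,tail)], the same conditioned on both coins being
    flipped, P_H[NEXT((flipP,head),(flipQ,tail))]) under sneaky(schedule_q_after)."""
    adv, start = sneaky(schedule_q_after), (None, None)
    joint = prob_of(COINS, adv, start, both(P_HEAD, Q_TAIL))
    flipped = prob_of(COINS, adv, start, BOTH_FLIPPED)
    conditional = prob_of(COINS, adv, start, both(both(P_HEAD, Q_TAIL), BOTH_FLIPPED)) / flipped
    nxt = prob_of(COINS, adv, start, NEXT([("flipP", lambda s: s[0] == "head"),
                                          ("flipQ", lambda s: s[1] == "tail")]))
    return joint, conditional, nxt
```

Under `sneaky("head")` the informal conditional probability of Example 4.1 is 1/2, but the formal event $FIRST(flipP, head) \cap FIRST(flipQ, tail)$, which counts the executions in which $Q$ never flips, has probability exactly 1/4; under `sneaky("tail")` the same event has probability 1/2 while the conditional drops to 0. In both cases the bounds of Proposition 4.2 ($p_1 p_2 = 1/4$ for $FIRST$, $\min\{p_1, p_2\} = 1/2$ for $NEXT$) hold.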

5 The Lehmann-Rabin Algorithm 

The Lehmann-Rabin algorithm is a randomized algorithm for the Dining Philosophers problem. 
This problem involves the allocation of n resources among n competing processes arranged in a 
ring. The resources are considered to be interspersed between the processes, and each process 
requires both its adjacent resources in order to reach its critical section. All processes are 
identical; the algorithm breaks symmetry by using randomization. The algorithm ensures the 
required exclusive possession of resources, and also ensures that, with probability 1, some 
process is always permitted to make progress into its critical region. 

Figure 1 shows the code for a generic process $i$. The $n$ resources are represented by $n$ shared
variables $Res_1, \ldots, Res_n$, each of which can assume values in $\{free, taken\}$. Each process $i$ ignores
its own name, $i$, and the names, $Res_{i-1}$ and $Res_i$, of its adjacent resources. However, each
process $i$ is able to refer to its adjacent resources by relative names: $Res_{(i,left)}$ is the resource
located to the left (clockwise), and $Res_{(i,right)}$ is the resource to the right (counterclockwise)
of $i$. Each process has a private variable $u_i$, which can assume a value in $\{left, right\}$, and
is used to keep track of the first resource to be handled. For notational convenience we define
an operator $opp$ that complements the value of its argument, i.e., $opp(right) = left$ and
$opp(left) = right$.
Shared variables: $Res_j \in \{free, taken\}$, $j = 1, \ldots, n$, initially $free$.
Local variables: $u_i \in \{left, right\}$, $i = 1, \ldots, n$
Code for process $i$:

    try                                           ** beginning of Trying Section **
    1. < u_i <- random >                          ** choose left or right with equal probability **
    2. < if Res_(i,u_i) = free then
           Res_(i,u_i) := taken
         else goto 2. >                           ** pick up first resource **
    3. < if Res_(i,opp(u_i)) = free then
           Res_(i,opp(u_i)) := taken;
           goto 5. >                              ** pick up second resource **
    4. < Res_(i,u_i) := free; goto 1. >           ** put down first resource **
                                                  ** end of Trying Section **
    5. crit                                       ** Critical Section **
    6. exit                                       ** beginning of Exit Section **
    7. < u_i <- left or right;                    ** nondeterministic choice **
         Res_(i,opp(u_i)) := free >               ** put down first resource **
    8. < Res_(i,u_i) := free >                    ** put down second resource **
                                                  ** end of Exit Section **
    9. rem                                        ** Remainder Section **

Figure 1: The Lehmann-Rabin algorithm



The atomic actions of the code are individual resource accesses, and they are represented
in the form <atomic-action> in Figure 1. We assume that at most one process has access to
the shared resource at each time.

An informal description of the procedure is "choose a side randomly in each iteration. 
Wait for the resource on the chosen side, and, after getting it, just check once for the second 
resource. If this check succeeds, then proceed to the critical region. Otherwise, put down the 
first resource and try again with a new random choice." 

Each process exchanges messages with an external user. In its idle state, a process is in its
remainder region $R$. When triggered by a $try$ message from the user, it enters the competition
to get its resources: we say that it enters its trying region $T$. When the resources are obtained,
it sends a $crit$ message informing the user of the possession of these resources: we then say
that the process is in its critical region $C$. When triggered by an $exit$ message from the user,
it begins relinquishing its resources: we then say that the process is in its exit region $E$. When
the resources are relinquished it sends a $rem$ message to the user and enters its remainder
region.
6 Overview of the Proof



In this section, we give our high-level overview of the proof. We first introduce some notation, 
then sketch the proof strategy at a high level. Details of the proof appear in the Appendix. 

6.1 Notation 

In this section we define a probabilistic automaton $M$ which describes the system of Section 5.
We assume that process $i+1$ is on the right of process $i$ and that resource $Res_i$ is between
processes $i$ and $i+1$. We also identify labels modulo $n$ so that, for instance, process $n+1$
coincides with process 1.

A state $s$ of $M$ is a tuple $(X_1, \ldots, X_n, Res_1, \ldots, Res_n, t)$ containing the local state $X_i$ of
each process $i$, the value of each resource $Res_i$, and the current time $t$. Each local state $X_i$
is a pair $(pc_i, u_i)$ consisting of a program counter $pc_i$ and the local variable $u_i$. The program
counter of each process keeps track of the current instruction in the code of Figure 1. Rather
than representing the value of the program counter with a number, we use a more suggestive
notation which is explained in the table below. Also, the execution of each instruction is
represented by an action. Only actions $try_i$, $crit_i$, $rem_i$, $exit_i$ below are external actions.



    Number   pc_i    Action name   Informal meaning
             R       try_i         Remainder region
    1        F       flip_i        Ready to Flip
    2        W       wait_i        Waiting for first resource
    3        S       second_i      Checking for Second resource
    4        D       drop_i        Dropping first resource
    5        P       crit_i        Pre-critical region
    6        C       exit_i        Critical region
    7        E_F     dropf_i       Exit: drop First resource
    8        E_S     drops_i       Exit: drop Second resource
    9        E_R     rem_i         Exit: move to Remainder region

The start state of $M$ assigns the value $free$ to all the shared variables $Res_i$, the value $R$ to
each program counter $pc_i$, and an arbitrary value to each variable $u_i$. The transition relation
of $M$ is derived directly from Figure 1. For example, for each state where $pc_i = F$ there is an
internal step $flip_i$ that changes $pc_i$ into $W$ and assigns $left$ to $u_i$ with probability 1/2 and
$right$ to $u_i$ with probability 1/2; from each state where $X_i = (W, left)$ there is a step $wait_i$
that does not change the state if $Res_{(i,left)} = taken$, and changes $pc_i$ into $S$ and $Res_{(i,left)}$
into $taken$ if $Res_{(i,left)} = free$; for each state where $pc_i = E_F$ there are two steps with action
$dropf_i$: one step sets $u_i$ to $right$ and makes $Res_{(i,left)}$ free, and the other step sets $u_i$ to $left$
and makes $Res_{(i,right)}$ free. The two separate steps correspond to a nondeterministic choice that is
left to the adversary. For time passage steps we assume that at any point an arbitrary amount
of time can pass; thus, from each state of $M$ and each positive $\delta$ there is a time passage step
that increases the time component by $\delta$ and does not affect the rest of the state.
The value of each pair $X_i$ can be represented concisely by the value of $pc_i$ and an arrow (to
the left or to the right) which describes the value of $u_i$. Thus, informally, a process $i$ is in state
$\overrightarrow{S}$ or $\overrightarrow{D}$ (resp. $\overleftarrow{S}$ or $\overleftarrow{D}$) when $i$ is in state $S$ or $D$ while holding its right (resp. left) resource;
process $i$ is in state $\overrightarrow{W}$ (resp. $\overleftarrow{W}$) when $i$ is waiting for its right (resp. left) resource to become
free; process $i$ is in state $\overrightarrow{E_S}$ (resp. $\overleftarrow{E_S}$) when $i$ is in its exit region and it is still holding its
right (resp. left) resource. Sometimes we are interested in sets of pairs; for example, whenever
$pc_i = F$ the value of $u_i$ is irrelevant. With the simple value of $pc_i$ we denote the set of the
two pairs $\{(pc_i, left), (pc_i, right)\}$. Finally, with the symbol $\#$ we denote any pair where
$pc_i \in \{W, S, D\}$. The arrow notation is used as before.

For each state $s = (X_1, \ldots, X_n, Res_1, \ldots, Res_n, t)$ of $M$ we denote by $X_i(s)$ the pair
$X_i$ and by $Res_i(s)$ the value of the shared variable $Res_i$ in state $s$. Also, for any set $S$ of
states of a process $i$, we denote by $X_i \in S$, or alternatively $X_i = S$, the set of states $s$ of $M$
such that $X_i(s) \in S$. Sometimes we abuse notation in the sense that we write expressions like
$X_i \in \{F, D\}$ with the meaning $X_i \in F \cup D$. Finally, we write $X_i = E$ for $X_i \in \{E_F, E_S, E_R\}$,
and we write $X_i = T$ for $X_i \in \{F, W, S, D, P\}$.

A first basic lemma states that a reachable state of $M$ is uniquely determined by the local
states of its processes and the current time. Based on this lemma, our further specifications of
state sets will not refer to the shared variables; however, we consider only reachable states for
the analysis. The proof of the lemma is a standard proof of invariants.

Lemma 6.1 For each reachable state $s$ of $M$ and each $i$, $1 \le i \le n$, $Res_i = taken$ iff
$X_i(s) \in \{\overrightarrow{S}, \overrightarrow{D}, P, C, E_F, \overrightarrow{E_S}\}$ or $X_{i+1}(s) \in \{\overleftarrow{S}, \overleftarrow{D}, P, C, E_F, \overleftarrow{E_S}\}$. Moreover, for each reachable state
$s$ of $M$ and each $i$, $1 \le i \le n$, it is not the case that $X_i(s) \in \{\overrightarrow{S}, \overrightarrow{D}, P, C, E_F, \overrightarrow{E_S}\}$ and
$X_{i+1}(s) \in \{\overleftarrow{S}, \overleftarrow{D}, P, C, E_F, \overleftarrow{E_S}\}$, i.e., only one process at a time can hold one resource. ■
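As an added example (written for this page, not the paper's code), the Python below implements the automaton $M$ of Section 6.1 for the Lehmann-Rabin algorithm, with one step function per program-counter value as derived from Figure 1, a scheduler that stands in for the adversary, and Lemma 6.1 checked as an invariant after every step together with the state written in the arrow notation. Assumptions made here: processes are numbered $0, \ldots, n-1$ rather than $1, \ldots, n$, with $Res_i$ between process $i$ and $i+1$ modulo $n$; the user issues $try_i$ as soon as a process is in $R$ and $exit_i$ as soon as it is in $C$; the nondeterministic $dropf_i$ choice and the scheduling order are resolved by a seeded random generator; and a "round", in which every process takes one step, stands in for one unit of time under the Unit-Time condition. The class, function and variable names are constructed.

```python
import random

LEFT, RIGHT = "left", "right"
OPP = {LEFT: RIGHT, RIGHT: LEFT}
FREE, TAKEN = "free", "taken"
# Program-counter values of Section 6.1 and the action each one enables.
ACTION = {"R": "try", "F": "flip", "W": "wait", "S": "second", "D": "drop",
          "P": "crit", "C": "exit", "EF": "dropf", "ES": "drops", "ER": "rem"}

class LehmannRabin:
    """State of M: X_i = (pc_i,u_i) per process, Res_j per resource, and the current time."""
    def __init__(self, n):
        self.n = n
        self.pc = ["R"] * n        # start state: every process in its remainder region
        self.u = [LEFT] * n        # u_i is arbitrary in the start state
        self.res = [FREE] * n      # Res_i lies between process i and process i+1 (mod n)
        self.time = 0

    def res_index(self, i, side):
        """Res_(i,right) is Res_i; Res_(i,left) is Res_(i-1); indices are taken modulo n."""
        return i if side == RIGHT else (i - 1) % self.n

    def step(self, i, rng):
        """Execute the single action enabled for process i (Figure 1 / Section 6.1)."""
        pc, u = self.pc[i], self.u[i]
        if pc == "R":                                  # try_i (issued at once, by assumption)
            self.pc[i] = "F"
        elif pc == "F":                                # flip_i: fair coin picks the first resource
            self.u[i] = rng.choice([LEFT, RIGHT]); self.pc[i] = "W"
        elif pc == "W":                                # wait_i: unchanged while Res_(i,u_i) is taken
            r = self.res_index(i, u)
            if self.res[r] == FREE:
                self.res[r] = TAKEN; self.pc[i] = "S"
        elif pc == "S":                                # second_i: one check of the other resource
            r = self.res_index(i, OPP[u])
            if self.res[r] == FREE:
                self.res[r] = TAKEN; self.pc[i] = "P"
            else:
                self.pc[i] = "D"
        elif pc == "D":                                # drop_i: put down first resource, flip again
            self.res[self.res_index(i, u)] = FREE; self.pc[i] = "F"
        elif pc == "P":                                # crit_i
            self.pc[i] = "C"
        elif pc == "C":                                # exit_i (issued at once, by assumption)
            self.pc[i] = "EF"
        elif pc == "EF":                               # dropf_i: nondeterministic choice of the adversary
            self.u[i] = rng.choice([LEFT, RIGHT])
            self.res[self.res_index(i, OPP[self.u[i]])] = FREE; self.pc[i] = "ES"
        elif pc == "ES":                               # drops_i
            self.res[self.res_index(i, u)] = FREE; self.pc[i] = "ER"
        elif pc == "ER":                               # rem_i
            self.pc[i] = "R"

    def holds(self, i, side):
        """True iff process i holds Res_(i,side), read off the pair X_i alone (as Lemma 6.1 does)."""
        pc = self.pc[i]
        return pc in ("P", "C", "EF") or (pc in ("S", "D", "ES") and self.u[i] == side)

    def lemma_6_1(self):
        """Res_i = taken iff i holds its right resource or i+1 holds its left one, and never both."""
        for i in range(self.n):
            a, b = self.holds(i, RIGHT), self.holds((i + 1) % self.n, LEFT)
            if (self.res[i] == TAKEN) != (a or b) or (a and b):
                return False
        return True

    def arrows(self):
        """The local states in the arrow notation of Section 6.1, e.g. ['F', 'W→', 'S←']."""
        mark = {LEFT: "←", RIGHT: "→"}
        return [pc + (mark[u] if pc in ("W", "S", "D", "ES") else "") for pc, u in zip(self.pc, self.u)]

def simulate(n, rounds, seed):
    """Run `rounds` rounds; return (Lemma 6.1 held after every step, round of the first crit_i or None)."""
    rng, m, first_crit = random.Random(seed), LehmannRabin(n), None
    for _ in range(rounds):
        order = list(range(n)); rng.shuffle(order)
        for i in order:
            m.step(i, rng)
            if not m.lemma_6_1():
                return False, first_crit
            if first_crit is None and m.pc[i] == "C":
                first_crit = m.time + 1
        m.time += 1
    return True, first_crit

def mean_first_crit(n, trials, seed):
    """Monte-Carlo estimate, under this scheduler, of the time until some process is critical
    (a sanity check against the paper's bound of 63, not a proof of it)."""
    times = [simulate(n, 500, seed + k)[1] for k in range(trials)]
    return sum(500 if t is None else t for t in times) / trials

if __name__ == "__main__":
    print(simulate(5, 200, 1), mean_first_crit(5, 50, 7))
```

The invariant check exercises exactly the correspondence Lemma 6.1 states between the shared variables and the local pairs $X_i$, which is what lets the later state sets be written without mentioning the $Res_j$; `arrows()` is handy for printing the sets $\mathcal{RT}$, $\mathcal{F}$ and $\mathcal{P}$ of Section 6.2 on a running system.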

6.2 Proof Sketch 

In this section we show that the Lehmann-Rabin algorithm guarantees time bounded progress, i.e., that
from every state where some process is in its trying region, some process subsequently enters
its critical region within an expected constant time bound. We assume that each process that
is ready to perform a step does so within time 1: process $i$ is ready to perform a step whenever
it enables an action different from $try_i$ or $exit_i$. Actions $try_i$ and $exit_i$ are supposed to be
under the control of the user, and hence, by assumption, under the control of the adversary.

Formally, consider the probabilistic timed automaton $M$ of Section 6.1. Define $Unit\text{-}Time$
to be the set of adversaries $A$ for $M$ having the properties that, for every finite execution
fragment $\alpha$ of $M$ and every execution $\alpha'$ of $H(M, A, \alpha)$, 1) the time in $\alpha'$ is not bounded and
2) for every process $i$ and every state of $\alpha'$ enabling an action of process $i$ different from $try_i$
and $exit_i$, there exists a step in $\alpha'$ involving process $i$ within time 1. Then $Unit\text{-}Time$ is
execution-closed according to Definition 3.3. An informal justification of this fact is that the
constraint that each ready process is scheduled within time 1 knowing that $\alpha \frown \alpha'$ has occurred
only reinforces the constraint that each ready process is scheduled within time 1 knowing that
$\alpha'$ has occurred. Let

$\mathcal{T} = \{s \in rstates(M) \mid \exists_i\, X_i(s) = T\}$
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denote the sets of reachable states of M where some process is in its trying region, and let 

$\mathcal{C} = \{ s \in rstates(M) \mid \exists i\ X_i(s) = C \}$

denote the set of reachable states of $M$ where some process is in its critical region. We show that

$\mathcal{T} \xrightarrow[1/8]{13,\ \text{Unit-Time}} \mathcal{C}$

i.e., that, starting from any reachable state where some process is in its trying region, for all the adversaries of Unit-Time, with probability at least 1/8, some process enters its critical region within time 13. Note that this property is trivially satisfied if some process is initially in its critical region.

Our proof is divided into several phases, each one concerned with the property of making partial time-bounded progress toward a "success state", i.e., a state of $\mathcal{C}$. The sets of states associated with the different phases are expressed in terms of $\mathcal{T}$, $\mathcal{RT}$, $\mathcal{F}$, $\mathcal{G}$, $\mathcal{P}$, and $\mathcal{C}$. Here,

$\mathcal{RT} = \{ s \in \mathcal{T} \mid \forall i\ X_i(s) \in \{E_R, R, T\} \}$

is the set of states where at least one process is in its trying region and where no process is in its critical region or holds resources while being in its exit region.

$\mathcal{F} = \{ s \in \mathcal{RT} \mid \exists i\ X_i(s) = F \}$

is the set of states of $\mathcal{RT}$ where some process is ready to flip a coin.

$\mathcal{P} = \{ s \in rstates(M) \mid \exists i\ X_i(s) = P \}$

is the set of reachable states of $M$ where some process is in its pre-critical region. The set $\mathcal{G}$ is the most important for the analysis. It parallels the set of "Good Pairs" in [?] or the set described in Lemma 4 of [?]. To motivate the definition, we define the following notions. We say that a process $i$ is committed if $X_i \in \{W, S\}$, and that a process $i$ potentially controls $Res_i$ (resp. $Res_{i-1}$) if $X_i \in \{\overline{W}, \overline{S}, \overline{D}\}$ (resp. $X_i \in \{\underline{W}, \underline{S}, \underline{D}\}$). Informally said, a state in $\mathcal{RT}$ is in $\mathcal{G}$ if and only if there is a committed process whose second resource is not potentially controlled by another process. Such a process is called a good process. Formally,

$\mathcal{G} = \{ s \in \mathcal{RT} \mid \exists i:\ X_i(s) \in \{\underline{W}, \underline{S}\} \text{ and } X_{i+1}(s) \in \{E_R, R, F, \rightarrow\}, \text{ or } X_i(s) \in \{\overline{W}, \overline{S}\} \text{ and } X_{i-1}(s) \in \{E_R, R, F, \leftarrow\} \}$

where $\rightarrow$ (resp. $\leftarrow$) stands for any of the states $\overline{W}, \overline{S}, \overline{D}$ (resp. $\underline{W}, \underline{S}, \underline{D}$) of a process pointing to the right (resp. to the left).

Reaching a state of $\mathcal{G}$ is substantial progress toward reaching a state of $\mathcal{C}$. Actually, the proof of Proposition A.11 establishes that, if $i$ is a good process, then, with probability 1/4, one of the three processes $i-1$, $i$ and $i+1$ soon succeeds in getting its two resources. The hard part is to establish that, with constant probability, within a constant time, $\mathcal{G}$ is reached from any state in $\mathcal{T}$. A close inspection of the proof given in [?] shows that, there, the timed version of the techniques used is unable to deliver this result. The phases of our proof are formally described below.
$\mathcal{T} \xrightarrow{2} \mathcal{RT} \cup \mathcal{C}$ (Proposition A.3),

$\mathcal{RT} \xrightarrow{3} \mathcal{F} \cup \mathcal{G} \cup \mathcal{P}$ (Proposition A.15),

$\mathcal{F} \xrightarrow[1/2]{2} \mathcal{G} \cup \mathcal{P}$ (Proposition A.14),

$\mathcal{G} \xrightarrow[1/4]{5} \mathcal{P}$ (Proposition A.11),

$\mathcal{P} \xrightarrow{1} \mathcal{C}$ (Proposition A.1).

The first statement says that, within time 2, every process in its exit region relinquishes its resources. By combining the statements above by means of Proposition 3.2 and Theorem 3.4 we obtain

$\mathcal{T} \xrightarrow[1/8]{13} \mathcal{C}$,

which is the property that was to be proven. Using the results of the proof summary above, we can furthermore derive a constant upper bound on the expected time required to reach a state of $\mathcal{C}$ when departing from a state of $\mathcal{T}$. Note that, departing from a state in $\mathcal{RT}$, with probability at least 1/8, $\mathcal{P}$ is reached in time (at most) 10; with probability at most 1/2, time 5 is spent before failing to reach $\mathcal{G} \cup \mathcal{P}$ ("failure at the third arrow"); with probability at most 7/8, time 10 is spent before failing to reach $\mathcal{P}$ ("failure at the fourth arrow"). If failure occurs, then the state is back in $\mathcal{RT}$. Let $V$ denote a random variable satisfying the following induction

$V = \tfrac{1}{8} \cdot 10 + \tfrac{1}{2}\,(5 + V_1) + \tfrac{3}{8}\,(10 + V_2)$,

where $V_1$ and $V_2$ are random variables having the same distribution as $V$. The previous discussion shows that the expected time spent from $\mathcal{RT}$ to $\mathcal{P}$ is at most $E[V]$. By taking expectations in the previous equation, and using that $E[V] = E[V_1] = E[V_2]$, we obtain that $E[V] = 60$ is an upper bound on the expected time spent from $\mathcal{RT}$ to $\mathcal{P}$, and that, consequently, the expected time for progress starting from a state of $\mathcal{T}$ is at most 63.
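The two computations behind the constants 13, 1/8, 60 and 63, carried through with the paper's own symbols as an added worked derivation (not part of the original text):

```latex
% Composition of the five progress statements (Proposition 3.2, Theorem 3.4):
% along the chain the time bounds add and the probabilities multiply.
\mathcal{T} \xrightarrow{2} \mathcal{RT}\cup\mathcal{C}
  \xrightarrow{3} \mathcal{F}\cup\mathcal{G}\cup\mathcal{P}
  \xrightarrow[1/2]{2} \mathcal{G}\cup\mathcal{P}
  \xrightarrow[1/4]{5} \mathcal{P}
  \xrightarrow{1} \mathcal{C}
\quad\Longrightarrow\quad
t = 2 + 3 + 2 + 5 + 1 = 13, \qquad
p = 1 \cdot 1 \cdot \tfrac{1}{2} \cdot \tfrac{1}{4} \cdot 1 = \tfrac{1}{8}.

% Expected time from RT to P: take expectations in the induction
% V = 1/8 * 10 + 1/2 (5 + V_1) + 3/8 (10 + V_2), with E[V_1] = E[V_2] = E[V].
E[V] = \tfrac{1}{8}\cdot 10 + \tfrac{1}{2}\,(5 + E[V]) + \tfrac{3}{8}\,(10 + E[V])
     = \tfrac{10}{8} + \tfrac{20}{8} + \tfrac{30}{8} + \tfrac{7}{8}\,E[V]
     = \tfrac{60}{8} + \tfrac{7}{8}\,E[V],
\qquad\text{so}\qquad
\tfrac{1}{8}\,E[V] = \tfrac{60}{8}
\quad\Longrightarrow\quad
E[V] = 60.

% From T: time 2 to reach RT (or C directly), at most 60 in expectation
% from RT to P, and time 1 from P to C.
2 + 60 + 1 = 63.
```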



7 Concluding Remarks 

This paper has presented a formal model and a formal proof technique for the estimation of the time performance of randomized algorithms that run under the control of general classes of adversaries. The salient aspect of this technique is to prove probabilistic time-bounded progress properties and to compose them by means of a powerful composability theorem. The power of the proof method has been illustrated by proving a constant upper bound on the expected time for progress in the Lehmann-Rabin Dining Philosophers algorithm.

We believe that this technique is applicable towards the time analysis of many randomized 
protocols. It is desirable that the general model and this technique be used for the analysis of 
other algorithms, so that the power of the method can be tested and/or increased by means 
of other additional tools. In particular, it is very likely that new event schemas and partial 
independence results similar to those of Section 4 can be developed. 

The specific results about the Lehmann-Rabin Dining Philosophers algorithm can be complemented and extended in many ways. We cite two. First, it would be very satisfying to derive a non-trivial lower bound on the time for progress, which should be lower than our upper bound since the upper bound could be easily improved by means of a finer analysis. Second, it would be interesting to consider topologies that are more general than rings.






Appendix 



A The Detailed Proof 

In this appendix we prove the five relations used in Section 6.2. However, for the sake of clarity, we do not prove the relations in the order they were presented. Throughout the proof we abuse notation by writing events of the kind FIRST($flip_i$, left) meaning the event schema FIRST($flip_i$, $\{ s \in states(M) \mid X_i(s) = \underline{W} \}$).

Proposition A.1 If some process is in $P$, then, within time 1, it enters $C$, i.e.,

$\mathcal{P} \xrightarrow{1} \mathcal{C}$.

Proof. This step corresponds to the action $crit_i$: within time 1, process $i$ informs the user that the critical region is free. ■

Lemma A.2 If some process is in its Exit region then, within time 3, it will enter $R$.

Proof. The process needs to take first two steps to relinquish its two resources, and then one step to send a $rem$ message to the user. ■

Proposition A.3 $\mathcal{T} \xrightarrow{2} \mathcal{RT} \cup \mathcal{C}$.

Proof. From Lemma A.2, within time 2 every process that begins in $E_F$ or $E_S$ relinquishes its resources. If no process begins in $C$ or enters $C$ in the meantime, then the state reached at this point is a state of $\mathcal{RT}$; otherwise, the starting state or the state reached when the first process enters $C$ is a state of $\mathcal{C}$. ■

We now turn to the proof of $\mathcal{G} \xrightarrow[1/4]{5} \mathcal{P}$. The following lemmas form a detailed case analysis of the different situations that can arise in states of $\mathcal{G}$. Informally, each lemma shows that some event of the form of Proposition 4.2 is a sub-event of the property of reaching some other state.

Lemma A.4

1. Assume that $X_{i-1} \in \{E_R, R, F\}$ and $X_i = \underline{W}$. If FIRST($flip_{i-1}$, left), then, within time 1, either $X_{i-1} = P$ or $X_i = \underline{S}$.

2. Assume that $X_{i-1} = D$ and $X_i = \underline{W}$. If FIRST($flip_{i-1}$, left), then, within time 2, either $X_{i-1} = P$ or $X_i = \underline{S}$.

3. Assume that $X_{i-1} = S$ and $X_i = \underline{W}$. If FIRST($flip_{i-1}$, left), then, within time 3, either $X_{i-1} = P$ or $X_i = \underline{S}$.

4. Assume that $X_{i-1} = W$ and $X_i = \underline{W}$. If FIRST($flip_{i-1}$, left), then, within time 4, either $X_{i-1} = P$ or $X_i = \underline{S}$.

Proof. The four proofs start in the same way. Let $s$ be a state of $M$ satisfying the respective properties of items 1, 2, 3 or 4. Let $\mathcal{A}$ be an adversary of Unit-Time, and let $\alpha$ be the execution of $M$ that corresponds to an execution of $H(M, \{s\}, \mathcal{A})$ where the result of the first coin flip of process $i-1$ is left.

1. By hypothesis, $i-1$ does not hold any resource at the beginning of $\alpha$ and has to obtain $Res_{i-2}$ (its left resource) before pursuing $Res_{i-1}$. Within time 1, $i$ takes a step in $\alpha$. If $i-1$ does not hold $Res_{i-1}$ when $i$ takes this step, then $i$ progresses into configuration $\underline{S}$. If not, it must be the case that $i-1$ succeeded in getting it in the meanwhile. But, in this case, $Res_{i-1}$ was the second resource needed by $i-1$ and $i-1$ therefore entered $P$.

2. If $X_i = \underline{S}$ within time 1, then we are done. Otherwise, after one unit of time, $X_i$ is still equal to $\underline{W}$, i.e., $X_i(s') = \underline{W}$ for all states $s'$ reached in time 1. However, process $i-1$ also takes a step within time 1. Let $\alpha = \alpha_1 \frown \alpha_2$ such that the last step of $\alpha_1$ is the first step taken by process $i-1$. Then $X_{i-1}(fstate(\alpha_2)) = F$ and $X_i(fstate(\alpha_2)) = \underline{W}$. Since process $i-1$ did not flip any coin during $\alpha_1$, from the execution closure of Unit-Time and item 1 we conclude.

3. If $X_i = \underline{S}$ within time 1, then we are done. Otherwise, after one unit of time, $X_i$ is still equal to $\underline{W}$, i.e., $X_i(s') = \underline{W}$ for all states $s'$ reached in time 1. However, process $i-1$ also takes a step within time 1. Let $\alpha = \alpha_1 \frown \alpha_2$ such that the last step of $\alpha_1$ is the first step taken by process $i-1$. If $X_{i-1}(fstate(\alpha_2)) = P$ then we are also done. Otherwise it must be the case that $X_{i-1}(fstate(\alpha_2)) = D$ and $X_i(fstate(\alpha_2)) = \underline{W}$. Since process $i-1$ did not flip any coin during $\alpha_1$, from the execution closure of Unit-Time and item 2 we conclude.

4. If $X_i = \underline{S}$ within time 1, then we are done. Otherwise, after one unit of time, $X_i$ is still equal to $\underline{W}$, i.e., $X_i(s') = \underline{W}$ for all states $s'$ reached in time 1. However, since within time 1 process $i$ checks its left resource and fails, process $i-1$ gets its right resource within time 1, and hence reaches at least state $S$. Let $\alpha = \alpha_1 \frown \alpha_2$ where the last step of $\alpha_1$ is the first step of $\alpha$ leading process $i-1$ to state $S$. Then $X_{i-1}(fstate(\alpha_2)) = S$ and $X_i(fstate(\alpha_2)) = \underline{W}$. Since process $i-1$ did not flip any coin during $\alpha_1$, from the execution closure of Unit-Time and item 3 we conclude. ■

Lemma A.5 Assume that $X_{i-1} \in \{E_R, R, T\}$ and $X_i = \underline{W}$. If FIRST($flip_{i-1}$, left), then, within time 4, either $X_{i-1} = P$ or $X_i = \underline{S}$.

Proof. The lemma follows immediately from Lemma A.4 after observing that $X_{i-1} \in \{E_R, R, T\}$ means $X_{i-1} \in \{E_R, R, F, W, S, D, P\}$. ■

The next lemma is a useful tool for the proofs of Lemmas A.7, A.8, and A.9.
Lemma A.6 Assume that $X_i \in \{\underline{W}, \underline{S}\}$ or $X_i \in \{E_R, R, F, D\}$ with FIRST($flip_i$, left), and assume that $X_{i+1} \in \{\overline{W}, \overline{S}\}$ or $X_{i+1} \in \{E_R, R, F, D\}$ with FIRST($flip_{i+1}$, right). Then the first of the two processes $i$ or $i+1$ testing its second resource enters $P$ after having performed this test (if this time ever comes).

Proof. By Lemma 6.1 $Res_i$ is free. Moreover, $Res_i$ is the second resource needed by both $i$ and $i+1$. Whichever tests for it first gets it and enters $P$. ■

Lemma A.7 If $X_i = \underline{S}$ and $X_{i+1} \in \{\overline{W}, \overline{S}\}$ then, within time 1, one of the two processes $i$ or $i+1$ enters $P$. The same result holds if $X_i \in \{\underline{W}, \underline{S}\}$ and $X_{i+1} = \overline{S}$.

Proof. Being in state $S$, process $i$ tests its second resource within time 1. An application of Lemma A.6 finishes the proof. ■

Lemma A.8 Assume that $X_i = \underline{S}$ and $X_{i+1} \in \{E_R, R, F, D\}$. If FIRST($flip_{i+1}$, right), then, within time 1, one of the two processes $i$ or $i+1$ enters $P$. The same result holds if $X_i \in \{E_R, R, F, D\}$, $X_{i+1} = \overline{S}$ and FIRST($flip_i$, left).

Proof. Being in state $S$, process $i$ tests its second resource within time 1. An application of Lemma A.6 finishes the proof. ■

Lemma A.9 Assume that $X_{i-1} \in \{E_R, R, F\}$, $X_i = \underline{W}$, and $X_{i+1} \in \{E_R, R, F, W, D\}$. If FIRST($flip_{i-1}$, left) and FIRST($flip_{i+1}$, right), then within time 5 one of the three processes $i-1$, $i$ or $i+1$ enters $P$.

Proof. Let $s$ be a state of $M$ such that $X_{i-1}(s) \in \{E_R, R, F\}$, $X_i(s) = \underline{W}$, and $X_{i+1}(s) \in \{E_R, R, F, W, D\}$. Let $\mathcal{A}$ be an adversary of Unit-Time, and let $\alpha$ be the execution of $M$ that corresponds to an execution of $H(M, \{s\}, \mathcal{A})$ where the result of the first coin flip of process $i-1$ is left and the result of the first coin flip of process $i+1$ is right. By Lemma A.5, within time 4 either process $i-1$ reaches configuration $P$ in $\alpha$ or process $i$ reaches configuration $\underline{S}$ in $\alpha$. If $i-1$ reaches configuration $P$, then we are done. If not, then let $\alpha = \alpha_1 \frown \alpha_2$ such that $lstate(\alpha_1)$ is the first state $s'$ of $\alpha$ with $X_i(s') = \underline{S}$. If $i+1$ enters $P$ before the end of $\alpha_1$, then we are done. Otherwise, $X_{i+1}(fstate(\alpha_2))$ is either in $\{\overline{W}, \overline{S}\}$ or it is in $\{E_R, R, F, D\}$ and process $i+1$ has not flipped any coin yet in $\alpha$. From execution closure of Unit-Time we can then apply Lemma A.6: within one more time unit process $i$ tests its second resource, and by Lemma A.6 process $i$ enters $P$ if process $i+1$ did not check its second resource in the meantime. If process $i+1$ checks its second resource before process $i$ does the same, then by Lemma A.6 process $i+1$ enters $P$. Since process $i$ checks its second resource within time 1, process $i+1$ enters $P$ within time 1. ■

Lemma A.10 Assume that $X_i \in \{E_R, R, F, W, D\}$, $X_{i+1} = \overline{W}$, and $X_{i+2} \in \{E_R, R, T\}$. If FIRST($flip_i$, left) and FIRST($flip_{i+2}$, right), then within time 5 one of the three processes $i$, $i+1$ or $i+2$ enters $P$.

Proof. The proof is analogous to the one of Lemma A.9. This lemma is essentially the symmetric case of Lemma A.9. ■



Proposition A.11 Starting from a global configuration in $\mathcal{G}$, then, with probability at least 1/4 and within time at most 5, some process enters $P$. Equivalently:

$\mathcal{G} \xrightarrow[1/4]{5} \mathcal{P}$.

Proof. Lemmas A.7 and A.8 jointly treat the case where $X_i = \underline{S}$ and $X_{i+1} \in \{E_R, R, F, \rightarrow\}$, and the symmetric case where $X_i \in \{E_R, R, F, \leftarrow\}$ and $X_{i+1} = \overline{S}$. Lemmas A.9 and A.10 jointly treat the case where $X_i = \underline{W}$ and $X_{i+1} \in \{E_R, R, F, W, D\}$ and the symmetric case where $X_i \in \{E_R, R, F, W, D\}$ and $X_{i+1} = \overline{W}$.

Specifically, each lemma shows that a compound event of the kind FIRST($flip_i$, $x$) and FIRST($flip_j$, $y$) leads to $\mathcal{P}$. Each of the basic events FIRST($flip_i$, $x$) has probability 1/2. From Proposition 4.2 each of the compound events has probability at least 1/4. Thus the probability of reaching $\mathcal{P}$ within time 5 is at least 1/4. ■

We now turn to $\mathcal{F} \xrightarrow[1/2]{2} \mathcal{G} \cup \mathcal{P}$. The proof is divided in two parts and constitutes the global argument of the proof of progress.

Lemma A.12 Start with a state $s$ of $\mathcal{F}$. If there exists a process $i$ for which $X_i(s) = F$ and $(X_{i-1}, X_{i+1}) \neq (\rightarrow, \leftarrow)$, then, with probability at least 1/2, a state of $\mathcal{G} \cup \mathcal{P}$ is reached within time 1.

Proof. If $s \in \mathcal{G} \cup \mathcal{P}$, then the result is trivial. Let $s$ be a state of $\mathcal{F} - (\mathcal{G} \cup \mathcal{P})$ and let $i$ be such that $X_i(s) = F$ and $(X_{i-1}, X_{i+1}) \neq (\rightarrow, \leftarrow)$. Assume without loss of generality that $X_{i+1} \neq \leftarrow$, i.e., $X_{i+1} \in \{E_R, R, F, \rightarrow\}$. The case for $X_{i-1} \neq \rightarrow$ is similar. Furthermore, we can assume that $X_{i+1} \in \{E_R, R, F, D\}$ since if $X_{i+1} \in \{\overline{W}, \overline{S}\}$ then $s$ is already in $\mathcal{G}$.

We show that the event NEXT(($flip_i$, left), ($flip_{i+1}$, right)), which by Proposition 4.2 has probability at least 1/2, leads in time at most 1 to a state of $\mathcal{G} \cup \mathcal{P}$. Let $\mathcal{A}$ be an adversary of Unit-Time, and let $\alpha$ be the execution of $M$ that corresponds to an execution of $H(M, \{s\}, \mathcal{A})$ where if process $i$ flips before process $i+1$ then process $i$ flips left, and if process $i+1$ flips before process $i$ then process $i+1$ flips right.

Within time 1, $i$ takes one step and reaches $W$. Let $j \in \{i, i+1\}$ be the first of $i$ and $i+1$ that reaches $W$ and let $s_1$ be the state reached after the first time process $j$ reaches $W$. If some process reached $P$ in the meantime, then we are done. Otherwise there are two cases to consider. If $j = i$, then $flip_i$ gives left and $X_i(s_1) = \underline{W}$ whereas $X_{i+1}$ is (still) in $\{E_R, R, F, D\}$. Therefore, $s_1 \in \mathcal{G}$. If $j = i+1$, then $flip_{i+1}$ gives right and $X_{i+1}(s_1) = \overline{W}$ whereas $X_i(s_1)$ is (still) $F$. Therefore, $s_1 \in \mathcal{G}$. ■

Lemma A.13 Start with a state $s$ of $\mathcal{F}$. Assume that there exists a process $i$ for which $X_i(s) = F$ and for which $(X_{i-1}(s), X_{i+1}(s)) = (\rightarrow, \leftarrow)$. Then, with probability at least 1/2, within time 2, a state of $\mathcal{G} \cup \mathcal{P}$ is reached.

Proof. The hypothesis can be summarized into the form $(X_{i-1}(s), X_i(s), X_{i+1}(s)) = (\rightarrow, F, \leftarrow)$. Since $i-1$ and $i+1$ point in different directions, by moving to the right of $i+1$ there is a process $k$ pointing to the left such that process $k+1$ either points to the right or is in $\{E_R, R, F, P\}$, i.e., $X_k(s) \in \{\underline{W}, \underline{S}, \underline{D}\}$ and $X_{k+1}(s) \in \{E_R, R, F, \overline{W}, \overline{S}, \overline{D}, P\}$. If $X_k(s) \in \{\underline{W}, \underline{S}\}$ and $X_{k+1}(s) \neq P$ then $s \in \mathcal{G}$ and we are done; if $X_{k+1}(s) = P$ then $s \in \mathcal{P}$ and we are done. Thus, we can restrict our attention to the case where $X_k(s) = \underline{D}$.

We show that the event NEXT(($flip_k$, left), ($flip_{k+1}$, right)), which by Proposition 4.2 has probability at least 1/2, leads in time at most 2 to $\mathcal{G} \cup \mathcal{P}$. Let $\mathcal{A}$ be an adversary of Unit-Time, and let $\alpha$ be the execution of $M$ that corresponds to an execution of $H(M, \{s\}, \mathcal{A})$ where if process $k$ flips before process $k+1$ then process $k$ flips left, and if process $k+1$ flips before process $k$ then process $k+1$ flips right.

Within time 2, process $k$ takes at least two steps and hence goes to configuration $W$. Let $j \in \{k, k+1\}$ be the first of $k$ and $k+1$ that reaches $W$ and let $s_1$ be the state reached after the first time process $j$ reaches $W$. If some process reached $P$ in the meantime, then we are done. Otherwise there are two cases to consider. If $j = k$, then $flip_k$ gives left and $X_k(s_1) = \underline{W}$ whereas $X_{k+1}$ is (still) in $\{E_R, R, F, \rightarrow\}$. Therefore, $s_1 \in \mathcal{G}$. If $j = k+1$, then $flip_{k+1}$ gives right and $X_{k+1}(s_1) = \overline{W}$ whereas $X_k(s_1)$ is (still) in $\{\underline{D}, F\}$. Therefore, $s_1 \in \mathcal{G}$. ■
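The state-set definitions of Section 6.2 and the search for the process $k$ in the proof of Lemma A.13, as an added example in Python (not code from the paper). Directed local states are written with an arrow suffix such as "W<" or "D>"; this string encoding and the function names are assumptions of the example.

```python
"""Membership tests for T, RT, F, G, P of Section 6.2 on a ring configuration.

Added example, not code from the paper.  A configuration is a tuple of local
states, one per process, indexed so that process i+1 is to the right of i.
Directed states carry an arrow suffix (encoding assumed here): "W<", "S<", "D<"
point left (first resource Res_{i-1}); "W>", "S>", "D>" point right (Res_i).
Undirected labels are R, F, P, C, E_F, E_S, E_R.
"""
from typing import Sequence

TRYING = {"F", "W", "S", "D", "P"}      # X_i = T abbreviates membership here
NOT_IN_RT = {"C", "E_F", "E_S"}         # states excluded from RT

def base(x: str) -> str:                # 'W<' -> 'W'
    return x.rstrip("<>")

def arrow(x: str) -> str:               # '<', '>' or '' for an undirected state
    return x[-1] if x[-1] in "<>" else ""

def in_T(X: Sequence[str]) -> bool:
    return any(base(x) in TRYING for x in X)

def in_P(X: Sequence[str]) -> bool:
    return "P" in X

def in_RT(X: Sequence[str]) -> bool:
    # some process trying, nobody in C and nobody holding resources in its exit region
    return in_T(X) and not any(x in NOT_IN_RT for x in X)

def in_F(X: Sequence[str]) -> bool:
    return in_RT(X) and "F" in X

def is_good(i: int, X: Sequence[str]) -> bool:
    """Process i is committed and its second resource is not potentially
    controlled by the neighbour that shares it (the two disjuncts defining G)."""
    n = len(X)
    left, right = X[(i - 1) % n], X[(i + 1) % n]
    if X[i] in ("W<", "S<"):            # second resource is Res_i, shared with i+1
        return right in ("E_R", "R", "F") or arrow(right) == ">"
    if X[i] in ("W>", "S>"):            # second resource is Res_{i-1}, shared with i-1
        return left in ("E_R", "R", "F") or arrow(left) == "<"
    return False

def in_G(X: Sequence[str]) -> bool:
    return in_RT(X) and any(is_good(i, X) for i in range(len(X)))

def lemma_a13_k(i: int, X: Sequence[str]) -> int:
    """With (X_{i-1}, X_i, X_{i+1}) = (>, F, <), walk right from i+1 to the first
    process k pointing left whose successor k+1 does not point left."""
    n = len(X)
    assert X[i] == "F" and arrow(X[(i - 1) % n]) == ">" and arrow(X[(i + 1) % n]) == "<"
    k = (i + 1) % n
    while arrow(X[(k + 1) % n]) == "<":  # terminates: i-1 points right
        k = (k + 1) % n
    return k

if __name__ == "__main__":
    # Constructed configurations on a ring of 5 processes.
    s1 = ("W>", "F", "D<", "S<", "R")   # k = 3, X_k = S<, X_{k+1} = R: s1 is in G
    s2 = ("W>", "F", "D<", "R", "D>")   # k = 2, X_k = D<: the remaining case of the proof
    print(in_F(s1), in_G(s1), lemma_a13_k(1, s1))   # True True 3
    print(in_F(s2), in_G(s2), lemma_a13_k(1, s2))   # True False 2
```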

Proposition A.14 Start with a state $s$ of $\mathcal{F}$. Then, with probability at least 1/2, within time 2, a state of $\mathcal{G} \cup \mathcal{P}$ is reached. Equivalently:

$\mathcal{F} \xrightarrow[1/2]{2} \mathcal{G} \cup \mathcal{P}$.

Proof. The hypotheses of Lemmas A.12 and A.13 form a partition of $\mathcal{F}$. ■

Finally, we prove $\mathcal{RT} \xrightarrow{3} \mathcal{F} \cup \mathcal{G} \cup \mathcal{P}$.



Proposition A.15 Starting from a state $s$ of $\mathcal{RT}$, then, within time 3, a state of $\mathcal{F} \cup \mathcal{G} \cup \mathcal{P}$ is reached. Equivalently:

$\mathcal{RT} \xrightarrow{3} \mathcal{F} \cup \mathcal{G} \cup \mathcal{P}$.

Proof. Let $s$ be a state of $\mathcal{RT}$. If $s \in \mathcal{F} \cup \mathcal{G} \cup \mathcal{P}$, then we are trivially done. Suppose that $s \notin \mathcal{F} \cup \mathcal{G} \cup \mathcal{P}$. Then in $s$ each process is in $\{E_R, R, W, S, D\}$ and there exists at least one process in $\{W, S, D\}$. Let $\mathcal{A}$ be an adversary of Unit-Time, and let $\alpha$ be the execution of $M$ that corresponds to an execution of $H(M, \{s\}, \mathcal{A})$.

We first argue that within time 1 some process reaches a state of $\{S, D, F\}$ in $\alpha$. This is trivially true if in state $s$ there is some process in $\{S, D\}$. If this is not the case, then all processes are either in $E_R$ or $R$ or $W$. Within time 1 some process in $R$ or $W$ takes a step. If the first process not in $E_R$ taking a step started in $E_R$ or $R$, then it reaches $F$ and we are done; if the first process taking a step is in $W$, then it reaches $S$ since in $s$ no resource is held. Once a process $i$ is in $\{S, D, F\}$, then within two more time units process $i$ reaches either state $F$ or $P$, and we are done. ■